ubuntu-mail-server team mailing list archive
Message #00163
[Bug 1857618] Re: opendkim generate an invalid signature if one header is fold just after the header name
Hello David,
Thank you for your quick reply.
I attached a php script (bug_21857618.php) to reproduce the issue.
You can run it with `php bug_21857618.php test@xxxxxxxxxxx 0` to have an invalid DKIM signature.
You can run it with `php bug_21857618.php test@xxxxxxxxxxx 1` to have a valid DKIM signature.
Just replace test@xxxxxxxxxxx by a valid DKIM-signed domain.
Look at the way "Subject:" is written in both cases.
Here is my opendkim conf file :
```
# cat /etc/opendkim.conf
Syslog yes
LogResults yes
LogWhy yes
UMask 007
Socket local:/var/run/opendkim/opendkim.sock
PidFile /var/run/opendkim/opendkim.pid
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim
KeyTable /etc/mail/KeyTable
SigningTable /etc/mail/SigningTable
Mode s
SubDomains yes
MultipleSignatures yes
InternalHosts refile:/etc/mail/InternalHosts
Socket inet:8891@localhost
```
I tried the php script on a Debian 8 server with this simplified config
file and the problem is already here :
```
# cat /etc/opendkim.conf
Syslog yes
UMask 002
KeyTable /etc/mail/KeyTable
SigningTable /etc/mail/SigningTable
OversignHeaders From
```
If you can't reproduce the case, I'm interested in you sending me a
valid DKIM-signed email with the folded "Subject:" header.
---
> Perhaps some other component at your site or in transit is altering the
> folding or line terminators? Anything unusual about your system and
> configuration?

I tried on multiple servers (Ubuntu 18.04, Ubuntu 16.04, Debian 8) and
the problem is here.

> Perhaps try setting Canonicalization to ‘relaxed/relaxed’
> and see if the verification result changes
I haven't tried this but I only change a little bit the "Subject:"
header for one time having a valid DKIM signature and the other an
invalid signature. I don't think that this will solve the issue or if so
I don't understand why.
Thank you again for your reply and your tests to reproduce the problem,
Guillaume
```
# dpkg -l | grep opendkim
ii libopendkim11 2.11.0~alpha-11build1 amd64 Library for signing and verifying DomainKeys Identified Mail signatures
ii opendkim 2.11.0~alpha-11build1 amd64 Milter implementation of DomainKeys Identified Mail
# dpkg -l | grep postfix
ii postfix 3.3.0-1ubuntu0.2 amd64 High-performance mail transport agent
# dpkg -l |grep php-cli
ii php-cli 1:7.2+60ubuntu1 all command-line interpreter for the PHP scripting language (default)
# cat /etc/postfix/main.cf | grep milter
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
```
** Attachment added: "bug_21857618.php"
https://bugs.launchpad.net/ubuntu/+source/opendkim/+bug/1857618/+attachment/5315817/+files/bug_21857618.php
--
https://bugs.launchpad.net/bugs/1857618
Title:
opendkim generate an invalid signature if one header is fold just
after the header name
Status in opendkim package in Ubuntu:
New
Bug description:
opendkim generates an invalid signature if one header is folded just
after the header name
Expected : the email is well signed.
Actual : Signature is invalid.
How to reproduce ? Send the email just below by replacing
"example.com" by a valid DKIM-signed domain. I used postfix to send
the email.
Here is a source .eml email that will fail to be correctly signed by
opendkim :
```
From: <test@xxxxxxxxxxx>
To: <test@xxxxxxxxxxx>
Subject:
 Folding_White_Space_and_too_long_subject_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Test
```
opendkim generates an invalid signature with this email because of the
"Subject:" folding white space.
The signature is valid if the "Subject:" is written in one line :
```
Subject: Folding_White_Space_and_too_long_subject_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```
Ubuntu 18.04.3 LTS
opendkim : 2.11.0~alpha-11build1
---
This bug occurs for all headers signed by opendkim (not only with
"Subject:").
This syntax seems valid. At least Gmail, Outlook, Thunderbird display
the subject correctly.
https://www.ietf.org/rfc/rfc5322.txt :
> Unfolding is accomplished by simply removing any CRLF
> that is immediately followed by WSP. Each header field should be
> treated in its unfolded form for further syntactic and semantic
> evaluation. An unfolded header field has no length restriction and
> therefore may be indeterminately long.
Gmail and opendkim itself consider the signature as invalid.
opendkim :
```
Authentication-Results: xxx.example.com (amavisd-new); dkim=fail (2048-bit key)
reason="fail (message has been altered)" header.d=example.com
header.b=ABCDEF;
```
Gmail:
```
ARC-Authentication-Results: i=1; mx.google.com;
dkim=fail header.i=@example.com header.s=xxxxxxx header.b="a/aaaaaa";
```
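Added example, not part of the original message or of opendkim's code: a Python implementation of the RFC 6376 "simple" and "relaxed" header canonicalizations applied to the two "Subject:" forms from the report, plus a check that lists header fields folded directly after the name. The sample message, the shortened subject and all function names are constructed for illustration; the code shows which bytes each canonicalization feeds into the hash, not the cause of the reported failure.

```python
import hashlib
import re

# Constructed samples: the two Subject forms from the report, CRLF line endings.
FOLDED = b"Subject:\r\n Folding_White_Space_and_too_long_subject\r\n"
ONE_LINE = b"Subject: Folding_White_Space_and_too_long_subject\r\n"
MESSAGE = (b"From: <test@example.com>\r\nTo: <test@example.com>\r\n"
           + FOLDED + b"\r\nTest\r\n")


def canon_simple(field: bytes) -> bytes:
    """RFC 6376 3.4.1: the header field is hashed exactly as it is."""
    return field


def canon_relaxed(field: bytes) -> bytes:
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim around colon."""
    name, _, value = field.partition(b":")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)   # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value)         # each WSP run becomes one SP
    value = value.rstrip(b"\r\n").strip(b" ")       # drop WSP at both ends
    return name.rstrip(b" \t").lower() + b":" + value + b"\r\n"


def same_hash_input(a: bytes, b: bytes, canon) -> bool:
    """True when both forms feed identical bytes into the DKIM header hash."""
    return hashlib.sha256(canon(a)).digest() == hashlib.sha256(canon(b)).digest()


def folded_after_name(message: bytes) -> list:
    """Names of header fields whose value starts on a continuation line."""
    headers = message.split(b"\r\n\r\n", 1)[0] + b"\r\n"
    hits = re.findall(rb"(?m)^([!-9;-~]+)[ \t]*:[ \t]*\r\n[ \t]", headers)
    return [h.decode("ascii") for h in hits]


if __name__ == "__main__":
    print("relaxed identical:", same_hash_input(FOLDED, ONE_LINE, canon_relaxed))
    print("simple identical: ", same_hash_input(FOLDED, ONE_LINE, canon_simple))
    print("folded after name:", folded_after_name(MESSAGE))
```

Under "simple" the two forms hash differently, so any component that re-folds the header between signing and verification invalidates the signature; under "relaxed" both reduce to the same bytes.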